Using 2FA phone numbers for targeted advertising. One of the dumbest ways ever for a company to abuse its users’ trust. Take a bow, Twitter. And have a $150 million fine too.

What’s happened?

Twitter has been fined $150 million by the United States Federal Trade Commission (FTC), after it used phone numbers and email addresses that users had submitted to set up two-factor authentication… for targeted advertising.

As FTC Chair Lina M. Khan describes:

“Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

What?? You’ve got to be kidding me?

Sadly not. Dumb isn’t it?

Everyone who works in technology knows that it’s a good idea to harden the security of your online accounts by enabling two-factor authentication (2FA). It’s one of the simplest ways in which you can better protect your account from being hijacked, because a stolen or guessed password on its own is no longer enough to log in.

So why on *earth* would a company like Twitter want to undermine the general public’s confidence in 2FA, by helping advertisers target people through phone numbers and email addresses that had been collected to better secure their accounts?

This is stupid.

Yes, I can’t think of any other company which would be so dumb as to allow advertisers to target individuals by exploiting phone numbers only shared for the purposes of 2FA.

Oh, hang on. Yes, I can.

Facebook.

Facebook did this too?

Yes.

In 2018, researchers at Northeastern University discovered that Facebook had been doing exactly the same thing: phone numbers that users had handed over for 2FA were being used to target them with ads.

Words fail me.

The thing is, it’s hard to believe that both Twitter and Facebook didn’t know what they were doing – and yet they carried on regardless.

From May 2013 all the way until September 2019, Twitter failed to disclose that phone numbers and email addresses collected for 2FA would also be used for advertising. Then, in October 2019, it revealed what it had been doing all those years, and apologised.

So should I disable 2FA on my Twitter account?

Definitely not. Twitter says it hasn’t been misusing your phone number since 2019. Which is jolly nice of them.

And any form of two-factor authentication is better than none at all.

But you might be smarter to enable 2FA on Twitter through an authentication app or a hardware security key, rather than your phone number. Neither requires you to hand over a phone number, and both are more robust than SMS codes, which can be intercepted by an attacker who manages to take over your phone number through a SIM swap.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
